---
# Namespace that holds the operator's ServiceAccount and its namespaced RBAC.
apiVersion: v1
kind: Namespace
metadata:
  name: clustersecret
---
# Identity the operator runs as; the ClusterRoleBinding and RoleBinding
# further down bind both roles to this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: clustersecret-account
  namespace: clustersecret
---
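# Cluster-wide permissions for the operator, bound to clustersecret-account
# by the ClusterRoleBinding further down.
#
# NOTE(review): the last rule grants list/watch/get on every Secret in the
# cluster plus create/update/patch/delete. Whoever holds this ServiceAccount's
# token (the operator pod, or anything that can exec into it or read its
# mounted token) can read and rewrite every Secret in the cluster. That is the
# price of a secret-replicating operator, but run the pod accordingly: no
# unrelated workloads in its namespace and audit logging on secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: clustersecret-role-cluster
rules:
  # Framework: knowing which other operators are running (i.e. peering).
  - apiGroups: [clustersecret.io]
    resources: [clusterkopfpeerings]
    verbs: [list, watch, patch, get]
  # Framework: discovering the CRDs it serves.
  # NOTE(review): `patch` lets this identity rewrite any CRD in the cluster
  # (schemas, conversion webhooks, served versions). Confirm the framework
  # still needs it; drop it if list/get suffice.
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [list, get, patch]
  # Framework: posting the events about the handlers progress/errors,
  # via both the events.k8s.io group and the legacy core group.
  - apiGroups: [events.k8s.io]
    resources: [events]
    verbs: [create]
  - apiGroups: [""]
    resources: [events]
    verbs: [create]
  # Application: full read/write on ClusterSecret objects cluster-wide.
  # (Not read-only, despite what an earlier comment said: it can create,
  # update, patch and delete them.)
  - apiGroups: [clustersecret.io]
    resources: [clustersecrets]
    verbs: [watch, list, get, patch, update, create, delete]
  # Application: watch namespaces and patch them / their status.
  # NOTE(review): presumably the patch is for annotating namespaces it has
  # processed -- verify against the operator code before narrowing it.
  - apiGroups: [""]
    resources: [namespaces, namespaces/status]
    verbs: [watch, list, get, patch]
  # Application: manage Secrets in every namespace (see the note at the top).
  - apiGroups: [""]
    resources: [secrets]
    verbs: [watch, list, get, patch, update, create, delete]
---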
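# Namespaced permissions inside the operator's own namespace.
#
# NOTE(review): the events, secrets and clustersecrets rules below are
# already granted cluster-wide, with a wider verb set, by
# clustersecret-role-cluster. Since both roles are bound to the same
# ServiceAccount, the effective permission in this namespace is the broader
# one; the narrower secrets verbs here only take effect on their own if the
# ClusterRoleBinding is removed or narrowed. The kopfpeerings rule is the
# only one not covered by the ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: clustersecret-role-namespaced
  namespace: clustersecret
rules:
  # Framework: knowing which other operators are running (i.e. peering).
  - apiGroups: [clustersecret.io]
    resources: [kopfpeerings]
    verbs: [list, watch, patch, get]
  # Framework: posting the events about the handlers progress/errors.
  - apiGroups: [events.k8s.io]
    resources: [events]
    verbs: [create]
  - apiGroups: [""]
    resources: [events]
    verbs: [create]
  # Application: Secrets it produces and manipulates in this namespace.
  # Deliberately no delete (nor get/list/watch): it creates and updates
  # Secrets here but never removes them.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, update, patch]
  # Application: get and patch ClusterSecret objects for status patching.
  - apiGroups: [clustersecret.io]
    resources: [clustersecrets]
    verbs: [get, patch]
---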
# Grants clustersecret-role-cluster to the operator's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: clustersecret-rolebinding-cluster
subjects:
  - kind: ServiceAccount
    name: clustersecret-account
    namespace: clustersecret
roleRef:
  kind: ClusterRole
  name: clustersecret-role-cluster
  apiGroup: rbac.authorization.k8s.io
---
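# Grants clustersecret-role-namespaced to the operator's ServiceAccount
# inside the clustersecret namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: clustersecret-rolebinding-namespaced
  namespace: clustersecret
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: clustersecret-role-namespaced
subjects:
  - kind: ServiceAccount
    name: clustersecret-account
    # A RoleBinding resolves an unqualified ServiceAccount subject against
    # its own namespace, so this was already implied; spelling it out keeps
    # the subject identical to the ClusterRoleBinding's and removes the
    # ambiguity if the binding is ever copied to another namespace.
    namespace: clustersecret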